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Abstract 
This memo allocates code points for four new elliptic curve domain 
parameter sets over finite prime fields into a registry that was 
established by the Internet Key Exchange (IKE) but is used by other 
protocols. 
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1. Introduction 


[RFC5639] defines new elliptic curve domain parameters for curves 
over a number of different prime fields, each with a "twisted" 
variant. These curves have a number of interesting security 
properties (as described in [EBP]) that make them desirable to use. 


IANA maintains a registry for [RFC2409] to map complete domain 
parameter sets into easily referenced numbers. While [RFC2409] is 
deprecated, other protocols, for example [IEEE802.11] and [RFC5931], 
refer to this registry for its convenience. Therefore, this memo 
instructs IANA to allocate new code points for the Brainpool curves 
defined in [RFC5639] to the registry established by [RFC2409] for use 
by other protocols. 


1.1. Requirements Language 
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", “SHALL NOT", 


"SHOULD", “SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 
document are to be interpreted as described in RFC 2119 [RFC2119]. 


2. Brainpool Elliptic Curves 


[RFC5639] defines several elliptic curves over finite prime fields 
(ECP, in the parlance of [RFC2409]). The domain parameter sets for 
each of the elliptic curves defined in [RFC5639] are copied here for 
convenient reference. 
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The equation for all elliptic curves defined here is: 


y^2 = x*3 + ax + b (mod p) 
Domain parameter sets consist of: 
o p: the prime 
o a, b: parameters to the equation of the curve 
Oo x, y: the coordinates of the generator for the group, G 
o q: the order of the group formed by the generator G 
o h: the co-factor 
o z: the "twist" (for conversion into twisted curves) 


[RFC5639] defines elliptic curves over seven (7) prime fields with a 
random and a "twisted" variety for each, for a total of fourteen (14) 
distinct curves. However, some of those curves are not particularly 
useful: the 160-bit curves provide only 80 bits of strength and that 
is too small to be of use in current cryptographic applications, and 
there is no standard hash function to use with the 196-bit and 
320-bit curves -- it would make more sense to use the 224-bit and 
384-bit curves, respectively, instead. For this reason, the curves 
defined over 160-bit, 192-bit, and 320-bit primes are not being added 
to the registry created by [RFC2409]. 


The twisted curves in [RFC5639] are isomorphic to the random curves 
of the same length. The curve parameter "a" for the twisted curves 
equals -3 mod p, and there are certain arithmetical advantages to 
using such curves. It is possible to convert a point from a random 
curve (x,y) into a point on the twisted curve (x’, y’) and back again 
using this equation: 


(x’,y’) = (x*z^2, y*z%3) 


This would allow an implementation to internally use the twisted 
version of the curve, taking full advantage of the arithmetical 
advantages, while exchanging points on the random versions of the 
curve with peers. 


Therefore, the twisted curves are not being added to the registry 
created by [RFC2409]. Implementations that desire to use the twisted 
curves internally MUST refer to [RFC5639] for the complete domain 
parameter sets, only the "twist" is defined here. 
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2.1. Domain Parameters for the 224-Bit Curve 
Curve-ID: brainpoolP224r1 
p = D7C134AA264366862A18302575D1D787B0 9F075797DA8 9F57EC8COFF 
A = 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A5 9CAD29F 43 
B = 2580F63CCFE44138870713B1A923 69E33E2135D266DBB372386C400B 


x = 0D9029AD2C7ESCF4340823B2A87DC68C 9E4CE3174C1E6EFDEE12C07D 


y = 58AA56F772C0726F24C6B8 9E4ECDAC2 435 4B9E 9 9CAA3F6D3761402CD 


q = D7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7 93 9F 


z = 2DF271E14427A346910CF7A2E6CFA7B3F 484E5C2CCE1C8B730E28B3F 


h = 1 
2.2. Domain Parameters for the 256-Bit Curve 
Curve-ID: brainpoolP256r1 
p = A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377 


A = 7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9 


B = 26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6 


x = 8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262 


y = 547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997 


q = A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7 


Z = 3E2D4BD9597B58639AE7AA669CAB9837CF5CF20A2C852D10F655668DFC150EF0 


h= 1 
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2.3. Domain Parameters for the 384-Bit Curve 
Curve-ID: brainpoolP384r1 


p = 8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB711 
23ACD3A729901D1A71874700133107EC53 


A = 7BC382C63D8C150C3C72080ACE05AFA0C2BEA2 8E4FB22787139165EFBA91F9 
OF 8AA5814A503AD4EB04A8C7DD22CE2 826 


T 


B = 04A8C7DD22CE28268B39B55416F0447C2FB77DE107DCD2A62 
D57CB4390295DBC9943AB78696FA504C11 


1880EA53EEB62 


x = 1D1C64F068CF45FFA2A63A81B7C13F 6B8847A3E7 7EF14FE3DB7FCAFEOCBD10 
E8E826E03436D64 6AAEF87B2E247D4AF1E 


y = 8ABE1D7520F 9C2A45CB1EB8E95CFD552 62B70B2 9FEEC58 64E1 9C054FF99129 
280E4646217791811142820341263C5315 


q = 8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425 
A7CF3AB6AF 6B7FC3103B883202E9046565 


z = 41DFE8DD399331F7166A66076734A8 9CD0D2BCDB7D068E44E1F378F41ECBAE 
97D2D63DBC87BCCDDCCC5DA3 9E8589291C 


h= 1 


2.4. Domain Parameters for the 512-Bit Curve 
Curve-ID: brainpoolP512r1 
p = AADDIDB8DBE9C4 8B3FD4E6AE33C9FC07CB308DB3B3C 9D20ED6639CCA703308 


717D4D9B00 9BC66842AECDAI 2AER6A380E62881FF2F2D82C68528AA6056583A 
48F3 


A = 7830A3318B603B89E2327145AC234CC594CBDD8D3DF 91610A83441CAEA98 63 
BC2DED5D5AA8253AA1 0A2EF1C98B9AC8B57F1117A72BF2C7BIETCIAC4D7T7FC 
94CA 


B = 3DF91610A83441CAEA98 63BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117 
A72BF2C7B9ETC1IAC4D77FC94CADC083E67984050B7 5EBAE5DD2 80 9BD638016 
F723 


x = 81AERE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D009 
8EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D504740 6A5E688B352209BCB9 
F822 
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ho = 
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7DDE385D566332ECCOBRABFA9CF7822FDF209F70024A57B1AA0N00C55B881F81 
11B2DCDE4 94A5F 48 5E5BCA4BD8 8A2763AED1CA2B2FA8F0540678CD1EOF3AD8 


0892 


AADD 9DB8DBE9C4 8B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308 


70553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA9 


0069 


12EE58E6764838B69782136F0F2D3BA0 6E27695716054092E60A80BEDB212B 
64E585D90BCE13761F85C3F1D2A64E3BE8FEA2220F01EBASEEBOF35DBD29D9 


22AB 


3. IANA Considerations 


IANA has assigned four values from the unassigned portion of the 
"Group Description" component of the 
the registry by appending Table 1 to the registry table. 


+---------- +—----------------------- 
| Value | Group Description 
+---------- 4+----------------------- 
| 27 | 224-bit Brainpool 
| | ECP group 
| | 
| 28 | 256-bit Brainpool 
ECP group 
| 29 | 384-bit Brainpool 
| | ECP group 
| | 
| 30 | 512-bit Brainpool 
| | ECP group 
+---------- 4+—----------------------- 
Table 1: 
4. Security Considerations 


+ 
| 
+ 
| 
| 
| 
| 


| 
| 
| 
| 
| 
+ 


[IANA-IKE] registry and updated 


Section 2.1 


RFC 6932, 
Section 2.2 


RFC 6932, 
Section 2.3 


RFC 6932, 
Section 2.4 


———— + — + 


| 
| 
| 
| 
| 
+ 


Not for RFC 2409 


Not for RFC 2409 


Group Description Updates 


[EBP] describes the security properties of the curves referenced 
. The curves support security levels of 112 


here 
(Sec 


tion 2.2), 192 (Section 2.3), 


and 256 


( 


Section 2.1), 128 


(Section 2.4). These 


security levels assume that when these elliptic curves are used with 
discrete logarithm cryptography, 
man, that the private key used is a uniformly random number in 
where q is the order from the curve’s domain 


Hell 
the 


Harkins 


range [1..(q-1)], 
parameter set. 


Informational 


for example elliptic curve Diffie- 


In order to achieve system security commensurate with 
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6. 


6. 


the security level of a particular elliptic curve, it is incumbent 
upon an implementation to choose key derivation functions, hash 
functions, pseudo-random functions, and ciphers according to the 
recommendations from [SP800-57]. 


Use of Brainpool Curves 


The notes in Table 1 are an administrative prohibition, not a 
technical one. The notes are there because, although [RFC2409] has 
been deprecated, it is still widely used. There is a desire among 
some in the IETF to not do anything that would prolong the use of 
[RFC2409], and the addition of these curves was perceived as doing 
just that. The registry could not have been updated without 
including notes to indicate that these curves are not for use with 
[RFC2409] and not updating the [RFC2409] registry would have a 
detrimental affect on the other protocols that use it. 
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Appendix A. 


Brainpool ECC for IKE Group Registry 


Test Data 


May 2013 


This section provides some test vectors for example Diffie-Hellman 


key exchanges using each of the curves defined in Section 2. 


following notation is used in subsequent sections: 


o dA: the secret key of party A 


o x_qA: the x-coordinate of the public 


o y_qA: the y-coordinate of the public 


o dB: the secret key of party B 


o x_qB: 
o y_qB: 
O X48 


the x-coordinate of the public 


the y-coordinate of the public 


key of party A 


key of party A 


key of party B 


key of party B 


completion of the Diffie-Hellman computation 


Oo yZ: 


completion of the Diffie-Hellman computation 


A.1. Test Vector for brainpoolP224r1 


dA = 
7C4B7A2C 
159B495E 


x_qA = 
B104A67A 
8C6BDCF2 
y_qA = 
46D782E7 
5B750A94 


dB = 
63976D4A 
6FFA28FB 


x_qB = 
2A97089A 
DO7A874E 
y_qB = 
9B900D7C 
4D59D25B 


Harkins 


8A4BAD1F 


6F6E85E1 


BB7D79CC 


4EC1825E 


O955DB7C 


1539E8EC 


FDB5F60C 


AE6CDOF6 


9296147B 


77A709A7 


D8404301 


DD18DEFE 


71B21A4B 


97276B8C 


AC5949C5 


F55D9656 


574E1278 


A1BA61BB 


6A4660CA 


DBBF5849 


8EDB2 6BC 


9D0507C0 


245B536F 


95B546FC 


Informational 


64CC4778 


22367DD8 


68BA0769 


3E74D648 


14D8C2B9 


29F862E4 


The 


the x-coordinate of the shared secret that results from 


the y-coordinate of the shared secret that results from 
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x_Z 
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312DFD98 783F9FB7 7B970494 5A73BEB6 
CAB574EB 


y_Z 


6F800811 D64114B1 C48C621A B3357CF9 
012B3C98 


A.2. Test Vector for brainpoolP256r1 


dA = 


0411 


EB8B1 


BCCO55F1 


x_qA = 
78028496 
O015F60C5 
y_qA = 
A2AE1762 
0CD10098 


dB = 
06F5240E 
81F99A16 


x_ql 


B= 


8EO7E219 
FB240B63 


y_q! 


B = 


148EA1D7 
9EBBF47B 


E2BC681B 
1AE49699 


B5ECAAB3 
CCCOD206 
A3831C1D 


TBOSF92B 


ACDB9837 
B8D804D3 


BA588916 
5341F0DB 


D1E7E54B 
24FDE40D 


xX_Z 


05E94091 
7A16DD2C 


y_Z 


6BC23B67 
B137628F 


5549E9F6 
C2E23708 


O2BC5A01 
E6FD134C 


CE8E3996 


C8B6C12E 


3B2E9FC4 


45DB1E02 


DCCBE3B6 5DOF967D 


3F496E42 38696A2A 


15B05283 313DD1A8 


C9E4D26B 4113BC4F 


20F03F8D 


BC96D482 


C5B0 6AA3 


9555B6C9 


A4A75693 


9438CEEA 


1E3C0C39 


74C8AA83 


OA2F464C 


AC90629C 


716E3746 


107DAAD8 


A.3. Test Vector for brainpoolP384r1 


dA = 
014EC075 5B78594B A47FBOA5 6F617304 
7322E70D 79D828D9 7E095884 CA72B73F 


Harkins 


AFE6F09B 4D44BBE8 


4B6C87BA 9CC3EEDD 


Gl 
N 


2F2ACFC1 610A3B 


18B63BEE 5D7AA694 


6ABA79B4 BF291987 


B94232FF BBC350F3 


5B4331E7 4BA1A6F4 
DABD5910 DFOFA76A 


Informational 


May 2013 


[Page 10] 


RFC 6932 


x_qA = 
45CB26E4 
01253327 
y_qA = 
8173A1C5 
F7026C5D 


dB = 
6B461CB7 
2CBCD550 


x2 = 
O4CC4FF3 
E48F3AFE 
yas 
7F465F90 
E7F1DE22 
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384DAF 6F 
78F3B8D3 


4AFFATE7T 
32DC530A 


9BDOEA51 
A015C900 


2EE4BE8D 


3FC30AF9 


A4FEE0O35 


68EE4748 


DCCCBO7A 


9A2F370A 


BD69AFB8 
AB5D0508 


B7768853 
F50CA358 


81D0E1E1 
2CD89C85 


9A87D682 
95B976F3 


ED1A9111 


CE28CA33 


E39BDB88 


7ED80448 


F24E0ACC 


1F98D3FA 


F828A214 
5SF5A01A9 


07B9A38B 
099B30DE 


D12C0DC2 
9BB4B4B7 


8815D8CE 
52995750 


25C209B0 


86D59E2C 


5D509D22 


58D31D84 


529955B3 


73FD0C07 


EB9716D6 
382D05BF 


.4. Test Vector for brainpoolP512r1 


dA = 

636B6BEO 
A379CFE1 
41A383B9 


x_qA = 

0562E68B 
7A39D17E 
B72AE42F 
y_qA = 

A7CA2D81 
3AF9F9C3 
51B275B2 


482A6C1C 
59559E35 
5C262B98 


9AF7CBFD 
C2166499 
4FB75321 


91E21776 
CAD59998 
BE6B7DEE 


41 AATAET 
75818253 
3782874C 


5565C6B1 
389571D6 
5S1AFC3EF 


A89860AF 
D7007954 
978EFC73 


dB = 

OAF4E7E6 
FF205B66 
F2E9EE80 
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D52EDD52 
D381ECE7 
3A1F236F 


907BB8DB 
2314E6A6 
B96A1799 


B245E983 
91175FC1 
CE6FE333 


6883B777 
A994977C 
0971CCDA 


BC1F582F 
8140B90B 
43EA642E 


AB3992A0 
EAO79CEA 
B86E5C8B 


7AD1B5C6 
B5EE69A9 


B74F4DF5 
68497F49 


7CD9B3CA 
6E1224A8 


3F99E316 
8D72CE1E 
4A142FF9 
8F7A95C6 
6D7C8077 


47C632E1 


6ABC59F1 
72D96698 


392DB94C 
95D28BAC 


FF11C199 
56AD8252 


AA308D55 
1F311AFB 


BB696EC1 
06961DBA 
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92E0C32F 
5CO058B4E 


8E4A4E3A 
AB8CC859 


A0B5A826 
61711D54 


1CFCC986 


7B4666E8 


FBCC5CFE 


35A347AC 


72B92FCB 


2F1423EC 


TAF 7C75E 
FE3FF64E 


ECEA2 660 
OCFO03A78 


161ECC42 
658BA8A1 


1C1DC613 
378AA81F 


ODF11892 
5SAE6422E 
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x_qB = 

5A7954E3 
BFEE2BFC 
BADE4F74 
y_qB = 

96D14621 
OC54C0D4 
2CAD1A86 


XA S= 

1EE8321A 
2BB72323 
2F85C812 
YAS 

2632095B 
251F0831 
08631875 


Dan Harkins 
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2663DFF1 
43714D89 
636B97EA 


A9283A1B 
9A47C038 
1ECA55A7 


4BBF 93B9 
6208AC8F 
BEDEE23A 


7B936174 
097C50D0 
B58B54EC 
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1AE24712 
BBDB6D24 
ACE739E1 


ED84DE8D 
07D171DD 
1954EE1B 


CF8921AB 
1A483E79 
C5B210E5 


D87419F2 
D807BBD3 


6B708AC2 
AEB7F0C3 


1720D323 


D64836B2 
544B72CA 
A35E04BE 


209850EC 
461A00E0 
811B191E 


B41FD2FA 
2CFED026 
DASA4F 9F 
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F369B1D1 
O7B6A2D5 
E 9EAABA6 


94089 


C0758B11 
AEF 7B7CE 


9B7066D1 
D5F6921C 


8DCADEED 
ADB4C000 
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B92877D6 
25F862E8 


441179DC 
01C7753E 


984EFO8C 
E9D36050 


7E410A7E 
60085622 
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